I’m implementing Sign in with Apple on iOS using Flutter + Firebase Auth. Apple returns a valid token but Firebase rejects it with:
firebase_auth/invalid-credential — Invalid OAuth response from apple.com
Environment:
- firebase_core: 4.6.0
- firebase_auth: 6.3.0
- sign_in_with_apple: 7.0.1
- Flutter (latest stable)
- iOS deployment target: 16.0
- Testing on physical device via TestFlight (not simulator)
Flutter code (auth_service.dart):
```dart
final rawNonce = _generateNonce();
final nonce = _sha256ofString(rawNonce);

// Apple receives the SHA-256 hash of the nonce.
final appleCredential = await SignInWithApple.getAppleIDCredential(
  scopes: [AppleIDAuthorizationScopes.email, AppleIDAuthorizationScopes.fullName],
  nonce: nonce,
);

// Firebase receives the identity token together with the raw (unhashed) nonce.
final oauthCredential = OAuthProvider('apple.com').credential(
  idToken: appleCredential.identityToken,
  rawNonce: rawNonce,
);
return await _auth.signInWithCredential(oauthCredential);
```
Nonce generation:
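```dart
import 'dart:convert';
import 'dart:math';

import 'package:crypto/crypto.dart';

// Returns a random nonce of [length] characters drawn from a secure RNG.
String _generateNonce([int length = 32]) {
  const charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._";
  final random = Random.secure();
  return List.generate(length, (_) => charset[random.nextInt(charset.length)])
      .join();
}

// Returns the lowercase hex SHA-256 digest of [input].
String _sha256ofString(String input) {
  final bytes = utf8.encode(input);
  final digest = sha256.convert(bytes);
  return digest.toString();
}
```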
Verified on-device — token claims decoded and confirmed correct:
- iss:
- aud: matches bundle ID exactly
- nonce: present, correctly SHA-256 hashed
- exp: not expired
- email_verified: true
- nonce_supported: true
Apple Developer config — all verified correct:
- App ID has Sign in with Apple enabled as Primary App ID
- Services ID configured with correct Firebase return URL (https://).firebaseapp.com/__/auth/handler
- Key registered with SIWA capability, associated with correct Primary App ID
- Team ID confirmed in Apple Developer → Membership
What I’ve tried:
- Deleted and re-added the Firebase Apple provider from scratch
- Re-pasted the .p8 key multiple times via different methods
- Generated a brand new key and updated Firebase — error persists
- Tried bundle ID in the Services ID field instead of Services ID — no change
- GCP audit logs show 0 results for `identitytoolkit` — cannot see server-side rejection reason
Email/password sign-in works fine on the same project. The rejection happens server-side inside Firebase Auth — Apple’s side is confirmed correct.
Has anyone seen Firebase reject a valid Apple token with this error? Is there a known project-level misconfiguration that isn’t visible from the console?
Any pointers appreciated! Have spent over 6 hours on this already… TIA
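
Added example, not part of the original post: a Dart version of the on-device claim check the post describes, decoding the identity token's payload and comparing its `nonce`, `aud` and `exp` against the raw nonce and the expected audience. The function names, `com.example.app` and the token built in `main` are constructed for illustration, and the signature is not verified here.

```dart
import 'dart:convert';
import 'package:crypto/crypto.dart';

/// Decodes the payload (second segment) of a compact JWT. No signature check.
Map<String, dynamic> decodeJwtClaims(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) throw const FormatException('not a compact JWT');
  // JWT segments are base64url without padding; normalize() restores it.
  final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  return jsonDecode(payload) as Map<String, dynamic>;
}

/// Returns the mismatches found; an empty list means the claims are
/// consistent with [rawNonce] and [expectedAud] at time [now].
List<String> checkAppleIdToken(String jwt,
    {required String rawNonce, required String expectedAud, DateTime? now}) {
  final claims = decodeJwtClaims(jwt);
  final problems = <String>[];
  // The token carries the hash that was sent to Apple, not the raw nonce.
  final hashed = sha256.convert(utf8.encode(rawNonce)).toString();
  if (claims['nonce'] != hashed) {
    problems.add('nonce claim is not SHA-256(rawNonce)');
  }
  // aud may be a single string or a list of strings.
  final aud = claims['aud'];
  final audOk = aud is List ? aud.contains(expectedAud) : aud == expectedAud;
  if (!audOk) problems.add('aud is $aud, expected $expectedAud');
  final exp = claims['exp'];
  final current = (now ?? DateTime.now()).millisecondsSinceEpoch ~/ 1000;
  if (exp is! int || exp <= current) problems.add('exp missing or in the past');
  return problems;
}

String _segment(Object o) =>
    base64Url.encode(utf8.encode(jsonEncode(o))).replaceAll('=', '');

void main() {
  // Constructed sample values: not a real Apple token, dummy signature segment.
  const rawNonce = 'constructed-raw-nonce-0001';
  final token = [
    _segment({'alg': 'RS256', 'kid': 'PLACEHOLDER'}),
    _segment({
      'aud': 'com.example.app',
      'exp': 4102444800, // 2100-01-01T00:00:00Z
      'nonce': sha256.convert(utf8.encode(rawNonce)).toString(),
    }),
    'c2ln',
  ].join('.');
  print(checkAppleIdToken(token, rawNonce: rawNonce, expectedAud: 'com.example.app'));
  print(checkAppleIdToken(token, rawNonce: 'other', expectedAud: 'com.example.svc'));
}
```

In the app, call `checkAppleIdToken` with `appleCredential.identityToken` and the same `rawNonce` that is passed to `OAuthProvider('apple.com').credential`.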